[Bug 34163] New: CSRF error if try OAuth2/OIDC after logout
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Bug ID: 34163 Summary: CSRF error if try OAuth2/OIDC after logout Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org If you do a local log into Koha, then logout, then try to do a OAuth2/OIDC log in, you'll get a CSRF error. The reason is that Koha is generating the CSRF token using an id like "anonymous_58d273f40cb20ff0aacab829aaf935fc" but checking it with an id of "_58d273f40cb20ff0aacab829aaf935fc". This is because we're not properly checking the C4::Context->userenv and/or it seems like it's not getting properly set after a logout. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Note that if you do a OIDC login, then a Koha logout, then a OIDC login - it will probably work because you still have a session with your IDP. This appears to be an edge case, although I'll check with the person originally talking about it on the listserv... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |33675 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 [Bug 33675] Add CSRF protection to OAuth/OIDC authentication -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Created attachment 152880 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=152880&action=edit Bug 34163: Handle both anonymous userenv when generating CSRF tokens An anonymous session might have a userenv which is undef or which is a hashref of undef/empty values. This patch generates the "anonymous" prefix for undef/empty 'id' values, which prevents CSRF errors when logging in via OAuth2/OIDC following a Koha logout. Test plan: Before applying patch: 1. Go to https://wiki.koha-community.org/wiki/Testing_SSO 2. Set up OpenID Connect realm, user, client, and Koha integration to Keycloak for koha-testing-docker as noted in the wiki 3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1 4. Click on OIDC "Log in with XXXX" button and log into IDP 5. Note that you're not logged in and you instead see an error message like: "There was an error authenticating to external identity provider wrong_csrf_token" 6. Apply patch 7. Go to "Sessions" section of the test realm in Keycloak e.g. http://sso:8082/auth/admin/master/console/#/test/sessions 8. Click "Action" on the far right side of the screen 9. Choose "Sign out all active sessions" After applying patch: 10. koha-plack --restart kohadev 11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1 12. Click on OIDC "Log in with XXXX" button and log into IDP 13. Note that you're logged in 14. prove t/Token.t 15. Note all tests pass -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |michaela.sieber@kit.edu -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Michaela Sieber <michaela.sieber@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |clemens.tubach@kit.edu, | |lukasz.koszyk@kit.edu -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Michaela Sieber <michaela.sieber@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=34755 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com Severity|minor |major --- Comment #3 from Tomás Cohen Arazi <tomascohen@gmail.com> --- You can no longer login after a logout. I wouldn't consider it an edge case it minor. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #152880|0 |1 is obsolete| | --- Comment #4 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 155548 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155548&action=edit Bug 34163: Handle both anonymous userenv when generating CSRF tokens An anonymous session might have a userenv which is undef or which is a hashref of undef/empty values. This patch generates the "anonymous" prefix for undef/empty 'id' values, which prevents CSRF errors when logging in via OAuth2/OIDC following a Koha logout. Test plan: Before applying patch: 1. Go to https://wiki.koha-community.org/wiki/Testing_SSO 2. Set up OpenID Connect realm, user, client, and Koha integration to Keycloak for koha-testing-docker as noted in the wiki 3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1 4. Click on OIDC "Log in with XXXX" button and log into IDP 5. Note that you're not logged in and you instead see an error message like: "There was an error authenticating to external identity provider wrong_csrf_token" 6. Apply patch 7. Go to "Sessions" section of the test realm in Keycloak e.g. http://sso:8082/auth/admin/master/console/#/test/sessions 8. Click "Action" on the far right side of the screen 9. Choose "Sign out all active sessions" After applying patch: 10. koha-plack --restart kohadev 11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1 12. Click on OIDC "Log in with XXXX" button and log into IDP 13. Note that you're logged in 14. prove t/Token.t 15. Note all tests pass Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- *** Bug 34755 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |27849 --- Comment #6 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Caused by 27849, highlighted by 34163 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27849 [Bug 27849] Koha::Token may access undefined C4::Context->userenv -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |critical -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |23.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 --- Comment #7 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.11. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Version(s)|23.11.00 |23.11.00,23.05.04 released in| | Status|Pushed to master |Pushed to stable --- Comment #8 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.05.x for 23.05.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable Version(s)|23.11.00,23.05.04 |23.11.00,23.05.04,22.11.10 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 --- Comment #9 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Nice work everyone! Pushed to oldstable for 22.11.x -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org